Future Byte Daily
Security
admin  3 months ago

TikTok’s trusted bio links vs multi-platform takeover: how Google SSO and open redirects let phishers hijack ad accounts

A recent campaign abuses TikTok for Business’ use of Google Single Sign-On and the platform’s permissive profile bio redirects to mount reverse-proxy AITM phishing that captures credentials and session cookies, then pivots into Google Ad Manager for large-scale ad fraud — all while evading two-factor protections with Cloudflare Turnstile–protected pages hosted on Google Storage.

How the attack chain turns a TikTok click into ad-account takeover

Attackers begin with links that look like legitimate TikTok profile URLs or business communications and funnel victims through TikTok’s profile-bio redirect feature, which currently allows unvalidated outbound targets. From that trusted landing, a redirect sends the user to a Google Storage–hosted page fronted by Cloudflare Turnstile; the page runs a reverse-proxy AITM phishing kit that mirrors Google or Microsoft login flows while capturing passwords and session cookies.

Compromise here is not limited to a TikTok login. When victims use Google SSO for TikTok for Business, the stolen session material or credentials give attackers simultaneous access to TikTok ad controls and linked Google Ad Manager accounts. That dual control enables malvertising campaigns and ad-fraud operations at scale, echoing prior threat activity against Google advertising but amplified by TikTok’s social-trust surface.

Why 2FA and static IoCs are unreliable against this kit


The reverse-proxy kit sits between the victim and the real login service, so it intercepts the second-factor step and harvests the resulting session cookies; the attacker can replay those cookies to reuse the valid session or establish new ones, which is why ordinary TOTP or SMS 2FA often does not block the takeover. Phishing pages also autofill victim emails and display legitimate-looking support links and numbers, increasing credibility for corporate targets and for Microsoft 365 credential harvesting that uses the same TikTok-redirect trick.

| Signal | Why it matters | Immediate checkpoint |
|---|---|---|
| Cluster of welcome.careers* domains | Bulk registration indicates organized scaling and reuse of kits | Block and monitor the pattern; feed to DNS monitoring |
| Google Storage buckets serving login HTML | Legitimate-looking hosting with long-lived SSL and low-cost evasion | Alert on external Google Storage pages mimicking auth flows |
| Cloudflare Turnstile on unknown businesses | Bot checks protect malicious pages from automated scanning | Treat Turnstile presence on nonstandard domains as a risk signal |
| tiktok.com bio links that redirect externally | Trust in TikTok’s domain lowers user suspicion | Audit bio links and consider blocking external redirects in corporate browsing policies |

Operational characteristics that make the campaign scalable

Researchers observed domains registered in rapid succession with a consistent naming pattern (for example, welcome.careerscrews[.]com and similar welcome.careers* names), plus use of bulk registration services and Cloudflare fronting. Those choices let attackers spin up new landing pages quickly when prior domains are blacklisted; combined with hosting on Google Storage, that reduces the longevity of static indicators of compromise (IoCs) and forces defenders toward behavioral and telemetry-based detection.

Concrete steps for defenders and what to watch next

Technical responses that go beyond user training: require phishing-resistant MFA (FIDO2 or hardware tokens) for Google SSO accounts used with TikTok for Business; audit and separate ad-account linkages between TikTok and Google Ad Manager; instrument logs to flag new ad-manager connections and sudden permission grants; and add DNS and certificate monitoring for the welcome.careers* naming pattern and unexpected Google Storage pages. Blocking outbound tiktok.com bio redirects in sensitive environments or intercepting those redirects for inspection reduces the initial trust benefit attackers rely on.
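As an added illustration of the telemetry-based detection the table and the steps above call for (example code, not from the article or the cited researchers), the script below runs three of the signals over constructed proxy log lines: a tiktok.com referer leading off-platform, a destination matching the welcome.careers* naming pattern, and a login-looking page served from Google Storage. It assumes a log format of `<timestamp> <user> <referer> <url>` and that Google Storage objects are served from storage.googleapis.com; the log lines and bucket name are made up.

```python
import re
from urllib.parse import urlparse
# Constructed sample proxy log lines (not real telemetry): "<ts> <user> <referer> <url>"
SAMPLE_LOG = """\
2026-03-01T09:12:01Z alice https://www.tiktok.com/@brandpromo https://welcome.careerscrews.com/offer
2026-03-01T09:12:03Z alice https://welcome.careerscrews.com/offer https://storage.googleapis.com/examplebucket/login.html
2026-03-01T09:20:44Z bob https://www.tiktok.com/@friend https://www.tiktok.com/@friend/video/1
2026-03-01T09:31:10Z carol - https://accounts.google.com/signin/v2/identifier
"""
TIKTOK_BASE = "tiktok.com"
GCS_BASE = "storage.googleapis.com"  # assumption: where Google Storage buckets serve objects
CAMPAIGN_DOMAIN_RE = re.compile(r"^welcome\.careers[a-z0-9-]*\.[a-z]+$", re.I)  # welcome.careers* pattern
LOGIN_PATH_RE = re.compile(r"login|signin|auth|sso", re.I)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def under(host, base):
    """True if host is base or a subdomain of it."""
    return host == base or host.endswith("." + base)

def classify(line):
    """Return the campaign signals (from the article's table) matched by one log line."""
    _ts, _user, referer, url = line.split()
    rhost, uhost = host_of(referer), host_of(url)
    signals = []
    if under(rhost, TIKTOK_BASE) and not under(uhost, TIKTOK_BASE):
        signals.append("tiktok_external_redirect")   # bio link leaving tiktok.com
    if CAMPAIGN_DOMAIN_RE.match(uhost):
        signals.append("welcome_careers_pattern")    # bulk-registered landing domain
    if under(uhost, GCS_BASE) and LOGIN_PATH_RE.search(urlparse(url).path):
        signals.append("gcs_hosted_login_page")      # login HTML served from Google Storage
    return signals

def scan(log_text):
    """Map each user to (url, signals) pairs for the lines that matched at least one signal."""
    hits = {}
    for line in filter(str.strip, log_text.splitlines()):
        signals = classify(line)
        if signals:
            fields = line.split()
            hits.setdefault(fields[1], []).append((fields[3], signals))
    return hits

def high_confidence(hits):
    """Users who followed a TikTok redirect and then reached a Google Storage login page."""
    wanted = {"tiktok_external_redirect", "gcs_hosted_login_page"}
    return [u for u, entries in hits.items()
            if wanted <= {s for _, sigs in entries for s in sigs}]
```

Note that carol's visit to a genuine Google sign-in page produces no signal: the Google Storage check keys on the hosting domain, not on the word "signin", which is what keeps a static keyword list from flooding the queue.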


Short operational Q&A

When should you rotate credentials? Immediately after evidence of cookie/token theft or unexpected ad-account linkages; assume session replay is possible even if MFA briefly prevented a login.

Which logs give the fastest detection? Ad Manager linkage events, SSO token issuance records in Google Workspace, and unusual API calls from TikTok ad endpoints; prioritize alerts that combine SSO use with new ad-permission grants.

What policy change to monitor from TikTok? Watch for any move by TikTok to validate or block open redirects from profile bios—if TikTok enforces target-domain whitelists or rate-limits redirects, the campaign’s stealth layer will be harder to scale.

External Sources
Business TikTok accounts targeted with AITM phishing kits
Phishing in the Spotlight: TikTok for Business Accounts Under Siege
TikTok Phishing Link in Emails: What Security Teams Need to Know – Hoxhunt